jfinn
/
jitsi_app_c0
Sledovat 1
Oblíbit 0
Rozštěpit 0
Zdrojový kód Úkoly 0 Požadavky na natažení 0 Vydání 0 Wiki Aktivita
Nelze vybrat více než 25 témat Téma musí začínat písmenem nebo číslem, může obsahovat pomlčky („-“) a může být dlouhé až 35 znaků.
6266 Revize
2 Větve
Strom: 41e0d782ce
Větve Značky
${ item.name }
Vytvořit větev ${ searchTerm }
z „41e0d782ce“
${ noResults }
jitsi_app_c0/resources/prosody-plugins/token/util.lib.lua

util.lib.lua 15KB
Historie Surový

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407 
  1. -- Token authentication

  2. -- Copyright (C) 2015 Atlassian

  3. 

  4. local basexx = require "basexx";

  5. local have_async, async = pcall(require, "util.async");

  6. local hex = require "util.hex";

  7. local jwt = require "luajwtjitsi";

  8. local http = require "net.http";

  9. local jid = require "util.jid";

  10. local json = require "cjson";

  11. local path = require "util.paths";

  12. local sha256 = require "util.hashes".sha256;

  13. local timer = require "util.timer";

  14. 

  15. local http_timeout = 30;

  16. local http_headers = {

  17.     ["User-Agent"] = "Prosody ("..prosody.version.."; "..prosody.platform..")"

  18. };

  19. 

  20. -- TODO: Figure out a less arbitrary default cache size.

  21. local cacheSize = module:get_option_number("jwt_pubkey_cache_size", 128);

  22. local cache = require"util.cache".new(cacheSize);

  23. 

  24. local Util = {}

  25. Util.__index = Util

  26. 

  27. --- Constructs util class for token verifications.

  28. -- Constructor that uses the passed module to extract all the

  29. -- needed configurations.

  30. -- If confuguration is missing returns nil

  31. -- @param module the module in which options to check for configs.

  32. -- @return the new instance or nil

  33. function Util.new(module)

  34.     local self = setmetatable({}, Util)

  35. 

  36.     self.appId = module:get_option_string("app_id");

  37.     self.appSecret = module:get_option_string("app_secret");

  38.     self.asapKeyServer = module:get_option_string("asap_key_server");

  39.     self.allowEmptyToken = module:get_option_boolean("allow_empty_token");

  40. 

  41.     --[[

  42.         Multidomain can be supported in some deployments. In these deployments

  43.         there is a virtual conference muc, which address contains the subdomain

  44.         to use. Those deployments are accessible

  45.         by URL https://domain/subdomain.

  46.         Then the address of the room will be:

  47.         roomName@conference.subdomain.domain. This is like a virtual address

  48.         where there is only one muc configured by default with address:

  49.         conference.domain and the actual presentation of the room in that muc

  50.         component is [subdomain]roomName@conference.domain.

  51.         These setups relay on configuration 'muc_domain_base' which holds

  52.         the main domain and we use it to substract subdomains from the

  53.         virtual addresses.

  54.         The following confgurations are for multidomain setups and domain name

  55.         verification:

  56.      --]]

  57. 

  58.     -- optional parameter for custom muc component prefix,

  59.     -- defaults to "conference"

  60.     self.muc_domain_prefix = module:get_option_string(

  61.         "muc_mapper_domain_prefix", "conference");

  62.     -- domain base, which is the main domain used in the deployment,

  63.     -- the main VirtualHost for the deployment

  64.     self.muc_domain_base = module:get_option_string("muc_mapper_domain_base");

  65.     -- The "real" MUC domain that we are proxying to

  66.     if self.muc_domain_base then

  67.         self.muc_domain = module:get_option_string(

  68.             "muc_mapper_domain",

  69.             self.muc_domain_prefix.."."..self.muc_domain_base);

  70.     end

  71.     -- whether domain name verification is enabled, by default it is disabled

  72.     self.enableDomainVerification = module:get_option_boolean(

  73.         "enable_domain_verification", false);

  74. 

  75.     if self.allowEmptyToken == true then

  76.         module:log("warn", "WARNING - empty tokens allowed");

  77.     end

  78. 

  79.     if self.appId == nil then

  80.         module:log("error", "'app_id' must not be empty");

  81.         return nil;

  82.     end

  83. 

  84.     if self.appSecret == nil and self.asapKeyServer == nil then

  85.         module:log("error", "'app_secret' or 'asap_key_server' must be specified");

  86.         return nil;

  87.     end

  88. 

  89.     --array of accepted issuers: by default only includes our appId

  90.     self.acceptedIssuers = module:get_option_array('asap_accepted_issuers',{self.appId})

  91. 

  92.     --array of accepted audiences: by default only includes our appId

  93.     self.acceptedAudiences = module:get_option_array('asap_accepted_audiences',{'*'})

  94. 

  95.     if self.asapKeyServer and not have_async then

  96.         module:log("error", "requires a version of Prosody with util.async");

  97.         return nil;

  98.     end

  99. 

  100.     return self

  101. end

  102. 

  103. --- Returns the public key by keyID

  104. -- @param keyId the key ID to request

  105. -- @return the public key (the content of requested resource) or nil

  106. function Util:get_public_key(keyId,asapKeyServer)

  107.     if asapKeyServer == "" then

  108.         asapKeyServer = self.asapKeyServer)

  109.     end

  110.     local content = cache:get(keyId);

  111.     if content == nil then

  112.         -- If the key is not found in the cache.

  113.         module:log("debug", "Cache miss for key: "..keyId);

  114.         local code;

  115.         local wait, done = async.waiter();

  116.         local function cb(content_, code_, response_, request_)

  117.             content, code = content_, code_;

  118.             if code == 200 or code == 204 then

  119.                 cache:set(keyId, content);

  120.             end

  121.             done();

  122.         end

  123.         local keyurl = path.join(asapKeyServer, hex.to(sha256(keyId))..'.pem');

  124.         module:log("debug", "Fetching public key from: "..keyurl);

  125. 

  126.         -- We hash the key ID to work around some legacy behavior and make

  127.         -- deployment easier. It also helps prevent directory

  128.         -- traversal attacks (although path cleaning could have done this too).

  129.         local request = http.request(keyurl, {

  130.             headers = http_headers or {},

  131.             method = "GET"

  132.         }, cb);

  133. 

  134.         -- TODO: Is the done() call racey? Can we cancel this if the request

  135.         --       succeedes?

  136.         local function cancel()

  137.             -- TODO: This check is racey. Not likely to be a problem, but we should

  138.             --       still stick a mutex on content / code at some point.

  139.             if code == nil then

  140.                 http.destroy_request(request);

  141.                 done();

  142.             end

  143.         end

  144.         timer.add_task(http_timeout, cancel);

  145.         wait();

  146. 

  147.         if code == 200 or code == 204 then

  148.             return content;

  149.         end

  150.     else

  151.         -- If the key is in the cache, use it.

  152.         module:log("debug", "Cache hit for key: "..keyId);

  153.         return content;

  154.     end

  155. 

  156.     return nil;

  157. end

  158. 

  159. --- Verifies issuer part of token

  160. -- @param 'iss' claim from the token to verify

  161. -- @return nil and error string or true for accepted claim

  162. function Util:verify_issuer(issClaim)

  163.     for i, iss in ipairs(self.acceptedIssuers) do

  164.         if issClaim == iss then

  165.             --claim matches an accepted issuer so return success

  166.             return true;

  167.         end

  168.     end

  169.     --if issClaim not found in acceptedIssuers, fail claim

  170.     return nil, "Invalid issuer ('iss' claim)";

  171. end

  172. 

  173. --- Verifies audience part of token

  174. -- @param 'aud' claim from the token to verify

  175. -- @return nil and error string or true for accepted claim

  176. function Util:verify_audience(audClaim)

  177.     for i, aud in ipairs(self.acceptedAudiences) do

  178.         if aud == '*' then

  179.             --* indicates to accept any audience in the claims so return success

  180.             return true;

  181.         end

  182.         if audClaim == aud then

  183.             --claim matches an accepted audience so return success

  184.             return true;

  185.         end

  186.     end

  187.     --if issClaim not found in acceptedIssuers, fail claim

  188.     return nil, "Invalid audience ('aud' claim)";

  189. end

  190. 

  191. --- Verifies token

  192. -- @param token the token to verify

  193. -- @param secret the secret to use to verify token

  194. -- @return nil and error or the extracted claims from the token

  195. function Util:verify_token(token, secret)

  196.     local claims, err = jwt.decode(token, secret, true);

  197.     if claims == nil then

  198.         return nil, err;

  199.     end

  200. 

  201.     local alg = claims["alg"];

  202.     if alg ~= nil and (alg == "none" or alg == "") then

  203.         return nil, "'alg' claim must not be empty";

  204.     end

  205. 

  206.     local issClaim = claims["iss"];

  207.     if issClaim == nil then

  208.         return nil, "'iss' claim is missing";

  209.     end

  210.     --check the issuer against the accepted list

  211.     local issCheck, issCheckErr = self:verify_issuer(issClaim);

  212.     if issCheck == nil then

  213.         return nil, issCheckErr;

  214.     end

  215. 

  216.     local roomClaim = claims["room"];

  217.     if roomClaim == nil then

  218.         return nil, "'room' claim is missing";

  219.     end

  220. 

  221.     local audClaim = claims["aud"];

  222.     if audClaim == nil then

  223.         return nil, "'aud' claim is missing";

  224.     end

  225.     --check the audience against the accepted list

  226.     local audCheck, audCheckErr = self:verify_audience(audClaim);

  227.     if audCheck == nil then

  228.         return nil, audCheckErr;

  229.     end

  230. 

  231.     return claims;

  232. end

  233. 

  234. --- Verifies token and process needed values to be stored in the session.

  235. -- Token is obtained from session.auth_token.

  236. -- Stores in session the following values:

  237. -- session.jitsi_meet_room - the room name value from the token

  238. -- session.jitsi_meet_domain - the domain name value from the token

  239. -- session.jitsi_meet_context_user - the user details from the token

  240. -- session.jitsi_meet_context_group - the group value from the token

  241. -- session.jitsi_meet_context_features - the features value from the token

  242. -- @param session the current session

  243. -- @return false and error

  244. function Util:process_and_verify_token(session)

  245.     return self:process_and_verify_token_with_keyserver(session,"")

  246. end

  247. function Util:process_and_verify_token_with_keyserver(session,asapKeyServer)

  248.     if asapKeyServer == "" then

  249.         asapKeyServer = self.asapKeyServer

  250.     end

  251. 

  252.     if session.auth_token == nil then

  253.         if self.allowEmptyToken then

  254.             return true;

  255.         else

  256.             return false, "not-allowed", "token required";

  257.         end

  258.     end

  259. 

  260.     local pubKey;

  261.     if asapKeyServer and session.auth_token ~= nil then

  262.         local dotFirst = session.auth_token:find("%.");

  263.         if not dotFirst then return nil, "Invalid token" end

  264.         local header = json.decode(basexx.from_url64(session.auth_token:sub(1,dotFirst-1)));

  265.         local kid = header["kid"];

  266.         if kid == nil then

  267.             return false, "not-allowed", "'kid' claim is missing";

  268.         end

  269.         pubKey = self:get_public_key(kid,asapKeyServer);

  270.         if pubKey == nil then

  271.             return false, "not-allowed", "could not obtain public key";

  272.         end

  273.     end

  274. 

  275.     -- now verify the whole token

  276.     local claims, msg;

  277.     if asapKeyServer then

  278.         claims, msg = self:verify_token(session.auth_token, pubKey);

  279.     else

  280.         claims, msg = self:verify_token(session.auth_token, self.appSecret);

  281.     end

  282.     if claims ~= nil then

  283.         -- Binds room name to the session which is later checked on MUC join

  284.         session.jitsi_meet_room = claims["room"];

  285.         -- Binds domain name to the session

  286.         session.jitsi_meet_domain = claims["sub"];

  287. 

  288.         -- Binds the user details to the session if available

  289.         if claims["context"] ~= nil then

  290.           if claims["context"]["user"] ~= nil then

  291.             session.jitsi_meet_context_user = claims["context"]["user"];

  292.           end

  293. 

  294.           if claims["context"]["group"] ~= nil then

  295.             -- Binds any group details to the session

  296.             session.jitsi_meet_context_group = claims["context"]["group"];

  297.           end

  298. 

  299.           if claims["context"]["features"] ~= nil then

  300.             -- Binds any features details to the session

  301.             session.jitsi_meet_context_features = claims["context"]["features"];

  302.           end

  303.         end

  304.         return true;

  305.     else

  306.         return false, "not-allowed", msg;

  307.     end

  308. end

  309. 

  310. --- Verifies room name and domain if necesarry.

  311. -- Checks configs and if necessary checks the room name extracted from

  312. -- room_address against the one saved in the session when token was verified.

  313. -- Also verifies domain name from token against the domain in the room_address,

  314. -- if enableDomainVerification is enabled.

  315. -- @param session the current session

  316. -- @param room_address the whole room address as received

  317. -- @return returns true in case room was verified or there is no need to verify

  318. --         it and returns false in case verification was processed

  319. --         and was not successful

  320. function Util:verify_room(session, room_address)

  321.     if self.allowEmptyToken and session.auth_token == nil then

  322.         module:log(

  323.             "debug",

  324.             "Skipped room token verification - empty tokens are allowed");

  325.         return true;

  326.     end

  327. 

  328.     -- extract room name using all chars, except the not allowed ones

  329.     local room,_,_ = jid.split(room_address);

  330.     if room == nil then

  331.         log("error",

  332.             "Unable to get name of the MUC room ? to: %s", room_address);

  333.         return true;

  334.     end

  335. 

  336.     local auth_room = session.jitsi_meet_room;

  337.     if not self.enableDomainVerification then

  338.         -- if auth_room is missing, this means user is anonymous (no token for

  339.         -- its domain) we let it through, jicofo is verifying creation domain

  340.         if auth_room and room ~= string.lower(auth_room) and auth_room ~= '*' then

  341.             return false;

  342.         end

  343. 

  344.         return true;

  345.     end

  346. 

  347.     local room_address_to_verify = jid.bare(room_address);

  348.     local room_node = jid.node(room_address);

  349.     -- parses bare room address, for multidomain expected format is:

  350.     -- [subdomain]roomName@conference.domain

  351.     local target_subdomain, target_room = room_node:match("^%[([^%]]+)%](.+)$");

  352. 

  353.     -- if we have '*' as room name in token, this means all rooms are allowed

  354.     -- so we will use the actual name of the room when constructing strings

  355.     -- to verify subdomains and domains to simplify checks

  356.     local room_to_check;

  357.     if auth_room == '*' then

  358.         -- authorized for accessing any room assign to room_to_check the actual

  359.         -- room name

  360.         if target_room ~= nil then

  361.             -- we are in multidomain mode and we were able to extract room name

  362.             room_to_check = target_room;

  363.         else

  364.             -- no target_room, room_address_to_verify does not contain subdomain

  365.             -- so we get just the node which is the room name

  366.             room_to_check = room_node;

  367.         end

  368.     else

  369.         -- no wildcard, so check room against authorized room in token

  370.         room_to_check = auth_room;

  371.     end

  372. 

  373.     local auth_domain = session.jitsi_meet_domain;

  374.     local subdomain_to_check;

  375.     if target_subdomain then

  376.         if auth_domain == '*' then

  377.             -- check for wildcard in JWT claim, allow access if found

  378.             subdomain_to_check = target_subdomain;

  379.         else

  380.             -- no wildcard in JWT claim, so check subdomain against sub in token

  381.             subdomain_to_check = auth_domain;

  382.         end

  383.         -- from this point we depend on muc_domain_base,

  384.         -- deny access if option is missing

  385.         if not self.muc_domain_base then

  386.             module:log("warn", "No 'muc_domain_base' option set, denying access!");

  387.             return false;

  388.         end

  389. 

  390.         return room_address_to_verify == jid.join(

  391.             "["..string.lower(subdomain_to_check).."]"..string.lower(room_to_check), self.muc_domain);

  392.     else

  393.         if auth_domain == '*' then

  394.             -- check for wildcard in JWT claim, allow access if found

  395.             subdomain_to_check = self.muc_domain;

  396.         else

  397.             -- no wildcard in JWT claim, so check subdomain against sub in token

  398.             subdomain_to_check = self.muc_domain_prefix.."."..auth_domain;

  399.         end

  400.         -- we do not have a domain part (multidomain is not enabled)

  401.         -- verify with info from the token

  402.         return room_address_to_verify == jid.join(

  403.             string.lower(room_to_check), string.lower(subdomain_to_check));

  404.     end

  405. end

  406. 

  407. return Util;